hanshasselberg changed the title from "Reserved Issue Number" to "Add ACL enforcement to the v1/agent/health/service/* endpoints" on Jan 30, 2020
Vulnerability ID: CVE-2020-7955
Release Date: January 29, 2020
Affected Products/Versions: Previous versions of Consul and Consul Enterprise; fixed in 1.6.3.
A low risk vulnerability was identified in Consul and Consul Enterprise (“Consul”) HTTP API such that the endpoints v1/agent/health/service/* did not enforce ACL. This vulnerability affects Consul releases 1.4.1 until 1.6.2, and is fixed in 1.6.3.
This adds ACL enforcement to the two endpoints that were missing it.
Note that in the case of getting a service's health by its ID, we still must first look up the service, so we still "leak" information about a service with that ID existing. There isn't really a way around it though, as ACLs are meant to check service names.
Vulnerability Details
Even with an agent with ACLs enabled and with a default “deny” policy, these endpoints still leak some service and check information. The data leaked looks like:
    [
      {
        "AggregatedStatus": "passing",
        "Service": {
          "ID": "web",
          "Service": "web",
          "Tags": [],
          "Meta": {},
          "Port": 1234,
          "Address": "",
          "Weights": {
            "Passing": 1,
            "Warning": 1
          },
          "EnableTagOverride": false,
          "Namespace": "default"
        },
        "Checks": []
      }
    ]

So in here, we have service names and ids, overall health, ports, any metadata and a list of checks. That list of checks will contain the node name, check name, notes and check output to mention a few things.
The only thing that makes this less bad is that the HTTP API is normally served via localhost (although a user can override that). In that case you would have to be on the machine already in order to figure out the service and check info (which would also be found in the data dir of Consul).
Remediation
Customers should upgrade to Consul or Consul Enterprise 1.6.3, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
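An added example, not part of the original advisory or Consul's own code: a small Go triage helper that flags agents inside the affected range stated above (1.4.1 up to, but not including, 1.6.3) and separates those whose HTTP API is bound beyond loopback, the mitigating factor the advisory mentions. The function names, result strings and inventory rows are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// key packs a version into one comparable integer (components assumed < 1000).
func key(major, minor, patch int) int { return major*1000000 + minor*1000 + patch }

// parseVersion reads "1.6.2", "v1.6.2" or "1.6.2+ent"; pre-release and build
// suffixes are ignored, which is a simplification made for this example.
func parseVersion(s string) (int, error) {
	var a, b, c int
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if _, err := fmt.Sscanf(s, "%d.%d.%d", &a, &b, &c); err != nil {
		return 0, fmt.Errorf("unexpected version %q: %w", s, err)
	}
	return key(a, b, c), nil
}

// Assess classifies one agent. version is the agent's Consul version and
// httpAddr the IP its HTTP API listens on (both supplied by the operator).
// The affected range is the advisory's: 1.4.1 up to, not including, 1.6.3.
func Assess(version, httpAddr string) (string, error) {
	v, err := parseVersion(version)
	if err != nil {
		return "", err
	}
	if v < key(1, 4, 1) || v >= key(1, 6, 3) {
		return "not affected", nil
	}
	// Anything that is not a loopback IP is treated as reachable off-host (conservative).
	if ip := net.ParseIP(httpAddr); ip != nil && ip.IsLoopback() {
		return "affected: upgrade (API on loopback only)", nil
	}
	return "affected: upgrade first (API reachable off-host)", nil
}

func main() {
	// Constructed inventory rows: {version, HTTP API bind address}.
	rows := [][2]string{{"1.6.2", "127.0.0.1"}, {"1.5.0+ent", "0.0.0.0"}, {"1.6.3", "0.0.0.0"}}
	for _, r := range rows {
		res, err := Assess(r[0], r[1])
		fmt.Println(r[0], r[1], res, err)
	}
}
```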